DHS to standardize cyber protections through new contract

(This story has been updated from its original version to include additional
details about the contract and quotes from DHS Director of Network Resilience John
Streufert.)

The Homeland Security Department awarded 17 companies, backed by tools from more
than 20 subcontractors, spots on the continuous diagnostics and mitigation
contract.

DHS announced the deal, which could be worth up to $6 billion, late in the day
Monday. The vendors will provide tools, hardware and software to implement
continuous-monitoring-as-a-service (CMaaS).

Under the contract, DHS will work with agencies to implement continuous
diagnostics and mitigation (CDM) tools at the network level using more than $183
million, which Congress provided as part of the fiscal 2013 budget.

Agencies will use their own funding to implement the software and services for
specific applications or systems, said John Streufert, director of Federal Network
Resilience at DHS.

"The way the government has structured its information systems is we share
networks with multiple custom applications," he said during a press briefing after
speaking at the SANS Institute's Critical Security Controls Summit in Washington
Tuesday. "We track more than 6,000 applications which are categorized at a
moderate level of risk, and more than 1,200 applications that are categorized at a
high level for risk. Because they all share common networks across both military
and civilian government, it was the judgment of DHS that protecting the networks
first would be an important foundation and then we would overlay additional
software security protections, database protections and website protections on
top, and feed to the same dashboards that will be funded in the initial increment
under the continuous diagnostics and mitigation program."

Civilian agencies only

DHS will focus only on the civilian agencies through the CDM program.

Streufert said DHS has signed memorandums of agreement with 22 of the 23 CFO Act
civilian agencies to implement the program. Only the General Services
Administration hasn't finalized its MOA to implement CDM.

"There were some internal circumstances related to the kind of technology they
have at the GSA. I'm not sure of all of their reasons, but I know a good portion
of their activity is in the cloud. I know GSA is waiting until 2014, but the good
news is that's less than six weeks away," he said. "I think we'll fold them in
quite easily as the various task orders play out. A number of the departments and
agencies have similar circumstances as GSA, and what we are doing as a customer
responsive organization is to work with their internal circumstances and queue up
those who are ready to move out now, and we'll create options on the contract and
other mechanisms to add in the organizations that need a little bit of additional
time."

Streufert also said an additional 30 small or micro agencies have
expressed interest in DHS putting CDM tools on their network.

He added that DHS will work with the Chief Information Officers Council, the
Office of Management and Budget and others to determine the implementation order
for customer agencies.

Dashboard RFP coming soon

Before continuous monitoring can achieve full operating capability, DHS, working
with GSA, will award a separate contract for one or more vendors to provide
dashboards to collect and present the data pulled from the CDM tools.

Streufert said the dashboard solicitation hasn't been issued yet and still is
under development.

"Our goal is to get a standard measure of protection across government within
three years," Streufert said. "We believe that notwithstanding the three-phased
program, there may be a little bit of clean up in the following fiscal year from
the previous phase in dealing with special situations like GSA and a number of
small and micro agencies that have asked to wait until 2014."

DHS issued the request for quotes in December. Industry has closely followed the
contract, as it is the main path agencies are taking on cybersecurity.

"If we can get industry, policy and operations people using a common set of
technical tools which have national and industry standards embedded into them, we
can not only go into the prioritization of dealing with the worst problems, but
also measure results we are getting from substantial investments," said Streufert.

The blanket purchase agreement (BPA) winners are:

Booz Allen Hamilton
CGI
CSC
DMI
DRC
General Dynamics-IT
HP
IBM
KCG
Kratos
Lockheed Martin
ManTech
MicroTech
Northrop Grumman
SAIC
SRA
Technica

GSA's Federal Acquisition Service will run the contract, charging a 2 percent fee
on usage. GSA has set up a web portal with an ordering guide and other facts about
the continuous monitoring contract.

The contract also is open to federal, state, local and tribal governments.